
Putting your SOX on one Document at a time, paths to Document Compliance

June 17, 2008


Sarbanes-Oxley and related regulations have an immediate and permanent effect on storage and backup strategies and procedures, both for ordinary documents and for e-mail, which presents a special case. The regulations are aimed primarily at financial documents, but the need to maintain audit trails and to document transactions leads naturally to a “best practices” solution that covers most documents generated within the enterprise.

Affected Documents

While the central focus of Sarbanes-Oxley is upon financial records, the general provisions calling for support of audit results and retrieval of documents (including messaging) that may be required in an investigation effectively call for the storage safeguards to be applied to all documents. This is also a reasonable practice, in that it makes it unnecessary to decide which documents might be relevant, and also ensures that new regulatory requirements that might increase the scope of required records can be met.

Specific items that must be included are the financial documents themselves, including:

  • Individual accounts or groups of related accounts,

  • All line items and notes, and

  • All footnote disclosures included in published financial statements.

The need to maintain an audit trail extends this requirement to transaction- and task-related documents and communications. Priority must be given to the financial records themselves, but the supporting material must also remain accessible.

General Storage Rules

Compliance requires an assessment of backup and restore strategies, records archiving, and long-term data retention. All records, including e-mail and instant messaging, must be indexed, and the index must be easily searchable. Audit capability is also required to determine whether anyone has attempted to tamper with stored records. Records retained for seven years or more must still be retrievable. In the associated business processes, access to records must be improved, security must be tightened, and detailed record keeping of backup and storage operations is necessary.

Compliance requires:

  • That record integrity be protected for the whole specified retention period. Records must be stored in a way that they cannot be altered, and access to records must be traceable.

  • Records must be available within a reasonable period of time.

  • Physical security of storage media must also be maintained, and the records must survive the loss of any single site or medium. Keeping duplicate copies of the data on separate media stored in different locations protects against that loss; it does not by itself secure either copy, so each location needs its own physical access controls.

  • Access to storage locations must also be monitored and recorded. Procedures need to be put into place to track and manage access to media as a part of compliance strategy.

  • Reliability of the drives and media selected for storage is also important. Higher reliability requirements mean that better quality solutions will be needed.

  • All workstations now need to be included in the backup strategy, including all e-mail, instant messages, voice mail, and other locally held business data.

  • Automated storage of data, particularly financial data, will be required on a regular basis with sufficient granularity to support “Real-Time Disclosure.” This data collection will need to be continuous and non-disruptive to the operations of the enterprise; it also must be saved in a form that can be certified as unaltered.

  • Access to archived data within a reasonable time also becomes important. Access is made more difficult by the vast increase in the amount of storage required, as well as in the need to provide some form of indexing and database access.

Far more than equipment, storage managers need management and operations processes that can demonstrably ensure that internal storage infrastructure controls comply with the auditing framework the company follows. This emphasis on process comes from the Act itself, which requires a company to file an internal control statement with its annual report that includes “an assessment, as of the end of the most recent fiscal year…of the effectiveness of the internal control structures and procedures of the issuer for financial reporting.” This means that not only must the data be retained, but the company must be able to demonstrate that the financial information is being managed and protected appropriately. Storage groups must identify and document their processes and establish reporting procedures that show storage management policies and processes are in compliance. Specific areas that need to be considered are:

  • Data protection. Data security and management of backup and restore operations.

  • Data availability. Policies related to access and retrieval of data from current and archival sources.

  • Data recovery. Includes disaster recovery.

For each of these, the following general points need to be considered:

  • Ensuring policies exist, are properly documented, and conform to legal and compliance requirements.

  • Processes are supported by policy and are followed.

  • Reporting is in place to provide an audit trail and evidence of compliance.

  • A validation process exists, including testing of controls, processes, and reporting.

Many of the requirements of Sarbanes-Oxley are really a fine-tuning of existing best practices in storage management. IT audit frameworks such as COBIT call for adherence to “good practice” standards, and a Sarbanes-Oxley compliant architecture is one that meets them.

Sarbanes-Oxley requires a more sophisticated view of storage than is commonly held at many corporations. The tendency has always been to treat data as data – that is, one undifferentiated byte stream to be managed and stored in case of systems failure. However, Sarbanes-Oxley requires differentiation between critical and routine data, and it requires access to data that has been placed in long-term storage.

E-Mail Storage Rules

In today’s business environment, e-mail has taken on a special importance, because it is now often the preferred communications medium for agreements, contracts, approvals, and work discussions. Effective e-mail archiving, however, requires filtering to keep storage spending under control, since there is an enormous amount of spam and other unwanted or irrelevant e-mail. Storage of e-mail also provides an audit trail for any litigation the company may be involved in.

Although the requirements for e-mail storage are similar to those for other records, the nature and content of messaging creates a number of special problems. First, messages are ubiquitous and tend to be stored locally, at the workstation level. Second, the volume is extraordinarily high, and without filtering it includes wholly nonessential items such as advertising and spam. Third, messages can contain attached documents and other material, and are likely to be of direct relevance to any investigation of transactions.

Although message archiving systems have been available for some time, Sarbanes-Oxley and related regulations add a special urgency to putting an adequate solution in place that provides capability to centrally store all relevant messages as well as permitting search and retrieval of messages in storage. New systems are now coming on the market specifically designed to meet these requirements.

Special requirements include:

  • Compliance with regulations specific to e-mail.

  • Secure and tamperproof archiving.

  • User access controls and an audit trail.

  • Smart indexing and archive searching.

  • Management of storage media and libraries.
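The tamper-evident archiving called for in both the general storage rules above (records saved “in a form that can be certified as unaltered”) and the e-mail requirements here can be demonstrated with a small integrity manifest. The following Python is an added example, not code from the original page or from any archiving product it mentions. It builds a hash-chained manifest over a batch of archived records, seals the chain head with an HMAC, and then re-verifies the archive so that an altered, deleted, or unlisted record, a manifest entry edited in place, or a wholesale regenerated manifest is reported. The record names and contents are constructed sample data, and the seal key is assumed to be held by the compliance function rather than by the storage administrators who can write to the archive.

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for archived documents and e-mail.
# Not taken from the original page.
SAMPLE_RECORDS = [
    ("GL-2008-Q2-accounts.csv", b"account,balance\n1010,125000.00\n2010,-43000.00\n"),
    ("10-K-footnote-12.txt", b"Footnote 12: revenue recognition policy ...\n"),
    ("email-approval-0613.eml",
     b"From: cfo@example.test\r\nSubject: Approval of Q2 accrual\r\n\r\nApproved.\r\n"),
]

GENESIS = "0" * 64  # previous-head value for the first batch in the archive


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash a canonical (sorted-key) JSON encoding of the entry fields that
    # make up the chain link: name, size, content digest and previous hash.
    body = {k: entry[k] for k in ("name", "size", "sha256", "prev")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_manifest(records, prev_head: str = GENESIS) -> dict:
    """Append-only, hash-chained manifest over a batch of (name, bytes) records.

    Each entry's hash covers the record digest and the previous entry's hash,
    so altering, removing or reordering any record changes every later hash
    and the head. `prev_head` lets daily batches chain onto one another.
    """
    entries, chain = [], prev_head
    for name, data in records:
        entry = {"name": name, "size": len(data), "sha256": sha256_hex(data), "prev": chain}
        chain = _entry_hash(entry)
        entry["entry_hash"] = chain
        entries.append(entry)
    return {"entries": entries, "head": chain}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the chain head with a key assumed to be held outside the
    storage team, so rewriting the whole manifest cannot produce a valid seal."""
    return hmac.new(key, manifest["head"].encode(), hashlib.sha256).hexdigest()


def verify_archive(records, manifest: dict, seal: str, key: bytes,
                   prev_head: str = GENESIS):
    """Return (ok, problems). Checks the seal, the chain's internal consistency,
    and that the records present still match the digests recorded for them."""
    problems = []

    # 1. Seal: was the manifest replaced or re-signed with the wrong key?
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        problems.append("seal mismatch: manifest head was altered or sealed with a different key")

    # 2. Chain: does every entry link to its predecessor and hash to its own entry_hash?
    chain = prev_head
    for i, e in enumerate(manifest["entries"]):
        if e["prev"] != chain:
            problems.append(f"chain broken before entry {i} ({e['name']})")
        if e["entry_hash"] != _entry_hash(e):
            problems.append(f"entry {i} ({e['name']}) edited in place")
        chain = e["entry_hash"]
    if chain != manifest["head"]:
        problems.append("manifest head does not match the last entry")

    # 3. Content: do the records on hand match what was recorded at ingest?
    listed = {e["name"]: e for e in manifest["entries"]}
    seen = set()
    for name, data in records:
        e = listed.get(name)
        if e is None:
            problems.append(f"unlisted record present: {name}")
            continue
        seen.add(name)
        if e["sha256"] != sha256_hex(data) or e["size"] != len(data):
            problems.append(f"content changed: {name}")
    for name in sorted(listed.keys() - seen):
        problems.append(f"record missing from archive: {name}")

    return (not problems, problems)


if __name__ == "__main__":
    key = b"compliance-held-key-assumed-32by"  # assumption: not the storage admins' key
    manifest = build_manifest(SAMPLE_RECORDS)
    seal = seal_manifest(manifest, key)
    print("clean archive:", verify_archive(SAMPLE_RECORDS, manifest, seal, key))
    tampered = list(SAMPLE_RECORDS)
    tampered[0] = (tampered[0][0], tampered[0][1].replace(b"125000.00", b"215000.00"))
    print("edited ledger:", verify_archive(tampered, manifest, seal, key))
```

In practice the manifest and seal are written once to WORM media or an append-only log and re-verified on a schedule; the verification report is itself a retained audit record. The seal is what turns the chain from a checksum into an integrity control: without it, anyone who can rewrite the archive can simply regenerate a consistent manifest.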
